Wednesday, September 24, 2014

Bash 'shellshock' scan of the Internet

NOTE: malware is now using this as its User-Agent. I haven't run a scan for over two days.

I'm running a scan right now of the Internet to test for the recent bash vulnerability, to see how widespread this is. My scan works by stuffing a bunch of "ping home" commands in various CGI variables. It's coming from IP address 209.126.230.72.

A discussion of the results is in the next blog post here. The upshot is this: while this scan found only a few thousand systems (because it's intentionally limited), it looks like the potential for a worm is high.

Can you give some more information on your test and what you're looking for? I tried this on a fresh Ubuntu system with apache2 installed, vulnerable, nothing. Updated to get a view of what a clean image looks like. Also ran it against Metasploitable.

I know the majority of systems won't respond as vulnerable (as you mentioned in your wormable post). Do you have anything about the proper setup for a system that would report vulnerable so I can get an eye on what to look for?

For those saying that their PHP code detected the invalid host header... know that it doesn't matter, the exploitation happens higher in the chain of calls. In most CGI uses of PHP, you are still vulnerable.

Some people see scans with the same info but from a different IP address. Since the second scan is more dangerous, I suspect they are masquerading as you: http://seenthis.net/messages/296476#message296546

Arthur, I am getting scanned by them too. It is a machine hosted at snel.com (send email with logs to report@abuse.bz) in the Netherlands, but it is sending pings to a Rackspace server in the US (Texas). It is unclear who is running the attack.

I have also had attempted exploits from pwn.nixon-security.se and others.

Regarding comments about earlier versions of Debian and Ubuntu, the example given used /bin/sh rather than /bin/bash.

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

Now try replacing /bin/sh with /bin/bash.

On those distributions you'll find that by default /bin/sh is a symbolic link to dash, another shell which does not have the problem. This is helpful for CGI scripts that use #!/bin/sh but you'll still need to patch bash.

For systems running older software distributions where a patch may not be available, the instructions at the following link on how to compile an updated and patched bash might be useful:

I don't understand how this exploit works when just hitting the root path of the server. My understanding is it requires a CGI script that is written or calls bash to be exploitable. Is this from broken http servers?

Very interesting. I can't get any tests to work with curl. I fired up a sample of your masscan and shazam, I can get hundreds of hosts to ping me. But I can't get a single one to report break when I test w/

@all keep in mind that the user agent is completely arbitrary, anybody using the examples will use the URL from the blog post. We have seen the URL in scans on some machines, but that doesn't mean that it's really from the original script.

@Chrstfer unless you have an IPS, the easiest way is to add something at the top of each php page (or what you are using) and match the header vars against the exploit string and log that (will not help for actual cgi exploits since it may happen before the script gets called)

@zyphlar php is not directly exploitable since it doesn't set env vars and doesn't call bash, this is more likely a validation issue in your scripts

@tillo that is not correct, CGI by itself is not exploitable and mod_php does not even use CGI

@S whether it is illegal or not will not help you when your site goes down ...

@Mrityunjay Ranjan Bourne shell isn't (there is no Bourne shell on Linux or FreeBSD of course due to licensing), FreeBSD will usually have bash, but not as /bin/sh replacement

@jah richie rails does not use CGI, so not directly, it may be due to other issues (unlikely)

@SojuMaster the issue is present e.g. in cygwin, but unless you run a webserver, it's unlikely that it's exploitable

@shawn updating bash requires root, the exploit will run as the local user (e.g. wwwrun)

Thx @Alexnader for all the replies. I do understand that / is most likely not a CGI. But when I run masscan with the supplied config it finds hosts. I then picked one to test w/ curl and could not reproduce any of the same results.

What is masscan doing different besides that curl is passing -A (user-agent).. ?

If it is not working with curl, it should be possible to create an HTTP request and send that with netcat. It will only work with CGI scripts unless another web API also communicates with environment vars and runs a shell script afterwards; mod_php and similar things like Tomcat will not do that. (I wonder why it happens with akamai, though)
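The log-side check suggested in the comments above (match request fields against the exploit string and log the hits), as an added example that is not part of the original post or its comments. It assumes Apache "combined" format log lines; the sample lines below are constructed, not real traffic, and reuse the `() { :;}; echo busted` string from the comment thread.

```python
import re

# Apache/nginx "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock probe opens a header value with a bash function definition,
# "() {", so that a vulnerable bash parses the trailing command when the CGI
# layer exports the header as an environment variable. Tolerate the
# whitespace variants seen in scans: "(){", "() {", "()  {".
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def is_shellshock_probe(value: str) -> bool:
    """True if a request path or header value carries the function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_log(lines):
    """Return one (client ip, field name, value) tuple per suspicious field."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess at the layout
        for field in ("request", "referer", "agent"):
            if is_shellshock_probe(m.group(field)):
                findings.append((m.group("ip"), field, m.group(field)))
    return findings


# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo busted"',
    '198.51.100.9 - - [24/Sep/2014:10:01:03 +0000] "GET / HTTP/1.1" 200 1024 '
    '"(){ :;}; echo busted" "Mozilla/5.0"',
    '192.0.2.44 - - [24/Sep/2014:10:01:04 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, field, value in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{field}\t{value}")
```

A hit only shows that a probe reached the server; as the comment above notes, the User-Agent is arbitrary, so it does not identify who sent it, and it says nothing about whether any CGI script on the host actually handed the value to bash.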